public async Task LDAPPropertyProcessor_ReadComputerProperties_TestBadPaths()
{
var mock = new MockSearchResultEntry("CN\u003dWIN10,OU\u003dTestOU,DC\u003dtestlab,DC\u003dlocal",
new Dictionary <string, object>
{
{ "description", "Test" },
{ "useraccountcontrol", "abc" },
{ "lastlogon", "132673011142753043" },
{ "lastlogontimestamp", "132670318095676525" },
{ "operatingsystem", "Windows 10 Enterprise" },
{ "admincount", "c" },
{
"sidhistory", new[]
{
Array.Empty <byte>()
}
},
{
"msds-allowedToDelegateTo", new[]
{
"ldap/PRIMARY.testlab.local/testlab.local",
"ldap/PRIMARY.testlab.local",
"ldap/PRIMARY"
}
},
{ "pwdlastset", "132131667346106691" },
{
"serviceprincipalname", new[]
{
"WSMAN/WIN10",
"WSMAN/WIN10.testlab.local",
"RestrictedKrbHost/WIN10",
"HOST/WIN10",
"RestrictedKrbHost/WIN10.testlab.local",
"HOST/WIN10.testlab.local"
}
}
}, "S-1-5-21-3130019616-2776909439-2417379446-1101", Label.Computer);
var processor = new LDAPPropertyProcessor(new MockLDAPUtils());
var test = await processor.ReadComputerProperties(mock);
var props = test.Props;
var keys = props.Keys;
Assert.Contains("unconstraineddelegation", keys);
Assert.Contains("enabled", keys);
Assert.Contains("trustedtoauth", keys);
Assert.False((bool)props["unconstraineddelegation"]);
Assert.True((bool)props["enabled"]);
Assert.False((bool)props["trustedtoauth"]);
Assert.Contains("sidhistory", keys);
Assert.Empty(props["sidhistory"] as string[]);
}
private async Task <Computer> ProcessComputerObject(ISearchResultEntry entry,
ResolvedSearchResult resolvedSearchResult, Channel <CSVComputerStatus> compStatusChannel)
{
var ret = new Computer
{
ObjectIdentifier = resolvedSearchResult.ObjectId
};
ret.Properties.Add("domain", resolvedSearchResult.Domain);
ret.Properties.Add("name", resolvedSearchResult.DisplayName);
ret.Properties.Add("distinguishedname", entry.DistinguishedName.ToUpper());
ret.Properties.Add("domainsid", resolvedSearchResult.DomainSid);
ret.Properties.Add("highvalue", false);
ret.Properties.Add("samaccountname", entry.GetProperty(LDAPProperties.SAMAccountName));
var hasLaps = entry.HasLAPS();
ret.Properties.Add("haslaps", hasLaps);
if ((_methods & ResolvedCollectionMethod.ACL) != 0)
{
ret.Aces = _aclProcessor.ProcessACL(resolvedSearchResult, entry).ToArray();
ret.IsACLProtected = _aclProcessor.IsACLProtected(entry);
}
if ((_methods & ResolvedCollectionMethod.Group) != 0)
{
var pg = entry.GetProperty(LDAPProperties.PrimaryGroupID);
ret.PrimaryGroupSID = GroupProcessor.GetPrimaryGroupInfo(pg, resolvedSearchResult.ObjectId);
}
if ((_methods & ResolvedCollectionMethod.ObjectProps) != 0)
{
var computerProps = await _ldapPropertyProcessor.ReadComputerProperties(entry);
ret.Properties = ContextUtils.Merge(ret.Properties, computerProps.Props);
if (_context.Flags.CollectAllProperties)
{
ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry),
ret.Properties);
}
ret.AllowedToDelegate = computerProps.AllowedToDelegate;
ret.AllowedToAct = computerProps.AllowedToAct;
ret.HasSIDHistory = computerProps.SidHistory;
}
if (!_methods.IsComputerCollectionSet())
{
return(ret);
}
var apiName = _context.RealDNSName != null
? entry.GetDNSName(_context.RealDNSName)
: resolvedSearchResult.DisplayName;
var availability = await _computerAvailability.IsComputerAvailable(resolvedSearchResult, entry);
if (!availability.Connectable)
{
await compStatusChannel.Writer.WriteAsync(availability.GetCSVStatus(resolvedSearchResult.DisplayName),
_cancellationToken);
return(ret);
}
var samAccountName = entry.GetProperty(LDAPProperties.SAMAccountName)?.TrimEnd('$');
if ((_methods & ResolvedCollectionMethod.Session) != 0)
{
var sessionResult = await _computerSessionProcessor.ReadUserSessions(apiName,
resolvedSearchResult.ObjectId, resolvedSearchResult.Domain);
ret.Sessions = sessionResult;
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = sessionResult.Collected ? StatusSuccess : sessionResult.FailureReason,
Task = "NetSessionEnum",
ComputerName = resolvedSearchResult.DisplayName
}, _cancellationToken);
}
}
if ((_methods & ResolvedCollectionMethod.LoggedOn) != 0)
{
var privSessionResult = _computerSessionProcessor.ReadUserSessionsPrivileged(apiName,
samAccountName, resolvedSearchResult.ObjectId);
ret.PrivilegedSessions = privSessionResult;
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = privSessionResult.Collected ? StatusSuccess : privSessionResult.FailureReason,
Task = "NetWkstaUserEnum",
ComputerName = resolvedSearchResult.DisplayName
}, _cancellationToken);
}
var registrySessionResult = _computerSessionProcessor.ReadUserSessionsRegistry(apiName,
resolvedSearchResult.Domain, resolvedSearchResult.ObjectId);
ret.RegistrySessions = registrySessionResult;
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = privSessionResult.Collected ? StatusSuccess : privSessionResult.FailureReason,
Task = "RegistrySessions",
ComputerName = resolvedSearchResult.DisplayName
}, _cancellationToken);
}
}
if (!_methods.IsLocalGroupCollectionSet())
{
return(ret);
}
try
{
using var server = new SAMRPCServer(resolvedSearchResult.DisplayName, samAccountName,
resolvedSearchResult.ObjectId, resolvedSearchResult.Domain);
if ((_methods & ResolvedCollectionMethod.LocalAdmin) != 0)
{
ret.LocalAdmins = server.GetLocalGroupMembers((int)LocalGroupRids.Administrators);
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = ret.LocalAdmins.Collected ? StatusSuccess : ret.LocalAdmins.FailureReason,
Task = "AdminLocalGroup",
ComputerName = resolvedSearchResult.DisplayName
}, _cancellationToken);
}
}
if ((_methods & ResolvedCollectionMethod.DCOM) != 0)
{
ret.DcomUsers = server.GetLocalGroupMembers((int)LocalGroupRids.DcomUsers);
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = ret.DcomUsers.Collected ? StatusSuccess : ret.DcomUsers.FailureReason,
Task = "DCOMLocalGroup",
ComputerName = resolvedSearchResult.DisplayName
}, _cancellationToken);
}
}
if ((_methods & ResolvedCollectionMethod.PSRemote) != 0)
{
ret.PSRemoteUsers = server.GetLocalGroupMembers((int)LocalGroupRids.PSRemote);
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = ret.PSRemoteUsers.Collected ? StatusSuccess : ret.PSRemoteUsers.FailureReason,
Task = "PSRemoteLocalGroup",
ComputerName = resolvedSearchResult.DisplayName
}, _cancellationToken);
}
}
if ((_methods & ResolvedCollectionMethod.RDP) != 0)
{
ret.RemoteDesktopUsers = server.GetLocalGroupMembers((int)LocalGroupRids.RemoteDesktopUsers);
if (_context.Flags.DumpComputerStatus)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = ret.RemoteDesktopUsers.Collected
? StatusSuccess
: ret.RemoteDesktopUsers.FailureReason,
Task = "RDPLocalGroup",
ComputerName = resolvedSearchResult.DisplayName
});
}
}
}
catch (Exception e)
{
await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
{
Status = e.ToString(),
ComputerName = resolvedSearchResult.DisplayName,
Task = "SAMRPCServerInit"
}, _cancellationToken);
ret.DcomUsers = new LocalGroupAPIResult
{
Collected = false,
FailureReason = "SAMRPCServerInit Failed"
};
ret.PSRemoteUsers = new LocalGroupAPIResult
{
Collected = false,
FailureReason = "SAMRPCServerInit Failed"
};
ret.LocalAdmins = new LocalGroupAPIResult
{
Collected = false,
FailureReason = "SAMRPCServerInit Failed"
};
ret.RemoteDesktopUsers = new LocalGroupAPIResult
{
Collected = false,
FailureReason = "SAMRPCServerInit Failed"
};
}
return(ret);
}
public async Task LDAPPropertyProcessor_ReadComputerProperties_HappyPath()
{
//TODO: Add coverage for allowedtoact
var mock = new MockSearchResultEntry("CN\u003dWIN10,OU\u003dTestOU,DC\u003dtestlab,DC\u003dlocal",
new Dictionary <string, object>
{
{ "description", "Test" },
{ "useraccountcontrol", 0x1001000.ToString() },
{ "lastlogon", "132673011142753043" },
{ "lastlogontimestamp", "132670318095676525" },
{ "operatingsystem", "Windows 10 Enterprise" },
{ "operatingsystemservicepack", "1607" },
{ "admincount", "c" },
{
"sidhistory", new[]
{
Helpers.B64ToBytes("AQUAAAAAAAUVAAAAIE+Qun9GhKV2SBaQUQQAAA==")
}
},
{
"msds-allowedtodelegateto", new[]
{
"ldap/PRIMARY.testlab.local/testlab.local",
"ldap/PRIMARY.testlab.local",
"ldap/PRIMARY"
}
},
{ "pwdlastset", "132131667346106691" },
{
"serviceprincipalname", new[]
{
"WSMAN/WIN10",
"WSMAN/WIN10.testlab.local",
"RestrictedKrbHost/WIN10",
"HOST/WIN10",
"RestrictedKrbHost/WIN10.testlab.local",
"HOST/WIN10.testlab.local"
}
}
}, "S-1-5-21-3130019616-2776909439-2417379446-1101", Label.Computer);
var processor = new LDAPPropertyProcessor(new MockLDAPUtils());
var test = await processor.ReadComputerProperties(mock);
var props = test.Props;
var keys = props.Keys;
//UAC
Assert.Contains("enabled", keys);
Assert.Contains("unconstraineddelegation", keys);
Assert.Contains("lastlogon", keys);
Assert.Contains("lastlogontimestamp", keys);
Assert.Contains("pwdlastset", keys);
Assert.True((bool)props["enabled"]);
Assert.False((bool)props["unconstraineddelegation"]);
Assert.Contains("lastlogon", keys);
Assert.Equal(1622827514, (long)props["lastlogon"]);
Assert.Contains("lastlogontimestamp", keys);
Assert.Equal(1622558209, (long)props["lastlogontimestamp"]);
Assert.Contains("pwdlastset", keys);
Assert.Equal(1568693134, (long)props["pwdlastset"]);
//AllowedToDelegate
Assert.Single(test.AllowedToDelegate);
Assert.Contains(new TypedPrincipal
{
ObjectIdentifier = "S-1-5-21-3130019616-2776909439-2417379446-1001",
ObjectType = Label.Computer
}, test.AllowedToDelegate);
//Other Stuff
Assert.Contains("serviceprincipalnames", keys);
Assert.Equal(6, (props["serviceprincipalnames"] as string[]).Length);
Assert.Contains("operatingsystem", keys);
Assert.Equal("Windows 10 Enterprise 1607", props["operatingsystem"] as string);
Assert.Contains("description", keys);
Assert.Equal("Test", props["description"] as string);
//SidHistory
Assert.Contains("sidhistory", keys);
var sh = props["sidhistory"] as string[];
Assert.Single(sh);
Assert.Contains("S-1-5-21-3130019616-2776909439-2417379446-1105", sh);
Assert.Single(test.SidHistory);
Assert.Contains(new TypedPrincipal
{
ObjectIdentifier = "S-1-5-21-3130019616-2776909439-2417379446-1105",
ObjectType = Label.User
}, test.SidHistory);
}
